WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 21 Jun 2005 12:07:34 +0200
Andrew van der Stock wrote:
Depends on the value of the system in use.
...
OTOH, where the login leads to private data, such as your name and address, I feel that corporations have a duty of care to protect your data under the various privacy acts around the world. The cost of a certificate is much less than potential litigation, or more to the point, reputation loss if someone discovers a way around it.I agree, and indeed, my focus in on really sensitive sites esp. banks. So it seems we are in agreement. I think most (or all??) security experts really agree here, but since some of the companies object, I am interested to see if there are some serious defenses of the unprotected login practice.
However, if it's a shopping cart type of thing, like Amazon, the thing that should be SSL is not the browsing of goods, but the transactions, particularly the credit card and address details.
Agreed...
The Visa/MC PCI guidelines are quite stringent on applying reasonable controls to this data.Well, actually, I've worked with the card people a lot but am not aware of a specific requirement to use SSL to protect the form sent to the consumer and not just to protect the CC# in transit. Do you know? If you can give me some reference, I'll appreciate. I can also ask my contacts. I am very interested, as one of the companies which uses unprotected login is Amex, and in fact we had a long argument with them on these questions...
In the case of Amazon 1-click, then effectively the 1-click is the thing requiring protection, so some form of control around that is also required.Well, it is unfortunate that the 1-click login in Amazon is unprotected, see http://AmirHerzberg.com/shame.html...
<skip> -- Best regards, Amir Herzberg Associate Professor Department of Computer Science Bar Ilan University http://AmirHerzberg.comNew: see my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.html
Current thread:
- Should login pages be protected by SSL? Amir Herzberg (Jun 20)
- Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 20)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 21)
- Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? (and comment to moderator) Andrew van der Stock (Jun 21)
- Re: PCI standards & Should login pages be protected by SSL? Peter Watkins (Jun 21)
- RE: PCI standards & Should login pages be protected by SSL? Lyal Collins (Jun 22)
- Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 20)
- Re: Should login pages be protected by SSL? Steve Shah (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- [summary] Re: Should login pages be protected by SSL? Steve Shah (Jun 22)
- Re: [summary] Re: Should login pages be protected by SSL? Ole Kasper Olsen (Jun 23)